Ensure that the Cross-Region Replication feature is enabled for your Amazon ECR container images.

Enabling Cross-Region replication for your registry makes copies of its repositories in one or more destination Regions. Applications start faster when images are stored in multiple Regions, since pulls are served locally, which reduces latency and downtime. Multi-Region images also help meet compliance requirements that apply in specific Regions, and they support disaster recovery for your application.

Risk Level: Low
Cloud Entity: AWS EcrRepository
CloudGuard Rule ID: D9.AWS.OPE.23
Covered by Spectral: No
Category: Compute

GSL LOGIC

EcrRepository should not have replicationConfiguration.rules isEmpty()
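The GSL rule above flags a registry whose replication configuration has no rules. The following added example (not part of the CloudGuard rule or the AWS SDK) evaluates the same condition against the output shape of `aws ecr describe-registry`; the two sample responses are constructed, the account ID and prefix are placeholders, and the optional live lookup via boto3 assumes AWS credentials are available.

```python
"""Evaluate 'replicationConfiguration.rules isEmpty()' against an
`aws ecr describe-registry` response (added example, not CloudGuard code)."""

# Constructed samples shaped like `describe-registry` output; IDs are placeholders.
SAMPLE_NO_REPLICATION = {
    "registryId": "111111111111",
    "replicationConfiguration": {"rules": []},
}
SAMPLE_WITH_REPLICATION = {
    "registryId": "111111111111",
    "replicationConfiguration": {
        "rules": [{
            "destinations": [{"region": "us-east-1", "registryId": "111111111111"}],
            "repositoryFilters": [{"filter": "prod/", "filterType": "PREFIX_MATCH"}],
        }]
    },
}


def replication_rules(registry: dict) -> list:
    """Return the replication rules; a missing replicationConfiguration counts as empty."""
    return registry.get("replicationConfiguration", {}).get("rules") or []


def is_compliant(registry: dict) -> bool:
    """Rule semantics: compliant only if at least one replication rule exists."""
    return len(replication_rules(registry)) > 0


def destination_regions(registry: dict) -> set:
    """Regions images are copied to, useful when reviewing DR and residency coverage."""
    return {
        dest["region"]
        for rule in replication_rules(registry)
        for dest in rule.get("destinations", [])
    }


def evaluate_live_registry(region: str) -> dict:
    """Fetch the real registry settings with boto3 (requires AWS credentials)."""
    import boto3  # imported lazily so the offline functions above need no SDK
    registry = boto3.client("ecr", region_name=region).describe_registry()
    return {"compliant": is_compliant(registry),
            "destinations": sorted(destination_regions(registry))}


if __name__ == "__main__":
    for name, sample in (("no replication", SAMPLE_NO_REPLICATION),
                         ("replication", SAMPLE_WITH_REPLICATION)):
        verdict = "compliant" if is_compliant(sample) else "NON-COMPLIANT"
        print(f"{name}: {verdict}, destinations={sorted(destination_regions(sample))}")
```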

REMEDIATION

From Portal

  1. Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories.
  2. From the navigation bar, choose the Region whose registry replication settings you want to configure.
  3. In the navigation pane, choose Private registry.
  4. On the Private registry page, on the Replication section, choose Edit.
  5. On the Replication page, choose Add replication rule.
  6. On the Destination types page, choose Enable cross-Region replication, then choose Next.
  7. Select one or more AWS regions as destination targets from the Destination regions drop-down list.
  8. On the Review and submit page, review the replication rule configuration and then choose Submit rule.

From TF

Use the resource "aws_ecr_replication_configuration" to configure replication. The registry ID is the destination AWS account ID; here it is supplied through a variable instead of the original bare identifier, which is not valid HCL.

variable "destination_registry_id" {
  type        = string
  description = "AWS account ID of the destination registry"
}

resource "aws_ecr_replication_configuration" "example" {
  replication_configuration {
    rule {
      destination {
        region      = "us-east-1"
        registry_id = var.destination_registry_id
      }
    }
  }
}

From Command Line

  1. Create a JSON file (named replication-settings.json here, to match the command in step 2) containing the replication rules to define for your registry. The file looks like the following, with destination_region, destination_accountId and repository_prefix_name replaced by your own values:
{
  "rules": [{
    "destinations": [{
      "region": "destination_region",
      "registryId": "destination_accountId"
    }],
    "repositoryFilters": [{
      "filter": "repository_prefix_name",
      "filterType": "PREFIX_MATCH"
    }]
  }]
}
  2. Create the replication configuration for your registry in the source Region:
aws ecr put-replication-configuration --replication-configuration file://replication-settings.json --region us-west-2

References

  1. https://docs.aws.amazon.com/AmazonECR/latest/userguide/replication.html
  2. https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry-settings-configure.html
  3. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_replication_configuration

AWS EcrRepository

Amazon Elastic Container Registry (Amazon ECR) provides API operations to create, monitor, and delete image repositories and to set permissions that control who can access them. You can perform the same actions in the Repositories section of the Amazon ECR console. Amazon ECR also integrates with the Docker CLI, so that you can push and pull images between your development environments and your repositories.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • CloudGuard AWS All Rules Ruleset